Bug #7179
open
Capture Kernel Drops happen when data transferring inside the intranet
Added by Samiux A 4 months ago.
Updated 4 months ago.
Description
Mode : IDS with af-packet
Suricata : 7.0.6 and below with hyperscan
OS : Debian 12.x
Capture Kernel Drops only happen when data is transferred between machines inside the intranet.
There is no detail in this report. Why do you believe there is a bug?
It is because it only happens when large data (for example, 10Mb) is exchanged between machines in the intranet. It does not happen when large data is exchanged between a machine and a remote server (internet), for example, when downloading a large file.
How much data? What protocols? How many flows? Please include such detail in your report.
How to get such data? Get from the stats.log?
I have a NextCloud machine in the network. When I paste a file (size 7.6MB) to the NextCloud directory via the Linux file manager, there is no kernel drop observed. However, when I paste a file (size 7.9MB) to the NextCloud directory via the Linux file manager, there are 3 to 4 kernel drops observed. If I paste a file larger than 10MB or above, a large number of kernel drops can be observed, according to the file size.
When the file size is below 7.6MB, there is no kernel drop observed.
Meanwhile, I do not use the DAV or HTTP protocol (and not HTTPS) to paste the file to NextCloud; I think it is the TCP protocol.
The network is connected with 1000Mbps network interface cards.
Please close this thread as the problem is solved by changing the settings in suricata.yaml.